?
Solved

Please help me with this system security log

Posted on 2010-04-05
4
Medium Priority
?
4,527 Views
Last Modified: 2012-05-09

I was poking around on my computer tonight and found this system log. Actually there were five or six events that occurred around this same time. That would be at 3:16:47 AM this morning while everyone in our house was sound asleep. We have a wireless router, but it is encrypted. We are more security aware than most people but we could be infected.  Please see the log below. Thank you!


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/5/2010 3:16:47 AM
Event ID:      5061
Task Category: System Integrity
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      MikeAdams
Description:
Cryptographic operation.

Subject:
      Security ID:            LOCAL SERVICE
      Account Name:            LOCAL SERVICE
      Account Domain:            NT AUTHORITY
      Logon ID:            0x3e5

Cryptographic Parameters:
      Provider Name:      Microsoft Software Key Storage Provider
      Algorithm Name:      RSA
      Key Name:      eff52a01-bafe-4aa3-9fce-427b8febfdc3
      Key Type:      Machine key.

Cryptographic Operation:
      Operation:      Open Key.
      Return Code:      0x0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5061</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2010-04-05T08:16:47.036717100Z" />
    <EventRecordID>5703</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="5428" />
    <Channel>Security</Channel>
    <Computer>MikeAdams</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-19</Data>
    <Data Name="SubjectUserName">LOCAL SERVICE</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e5</Data>
    <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
    <Data Name="AlgorithmName">RSA</Data>
    <Data Name="KeyName">eff52a01-bafe-4aa3-9fce-427b8febfdc3</Data>
    <Data Name="KeyType">%%2499</Data>
    <Data Name="Operation">%%2480</Data>
    <Data Name="ReturnCode">0x0</Data>
  </EventData>
</Event>
0
Comment
Question by:SMPC
  • 2
  • 2
4 Comments
 
LVL 11

Accepted Solution

by:
slemmesmi earned 2000 total points
ID: 29880616
Dear SMPC,

this event originates from the Security Auditing running on your computer(s).
It reflect a successful audit event, of a local service opening the computer (machine) key.
From this event it is not possible conclude whether a rogue local service is running, but it is my doubt.
You can read more about this event on many www.technet.com pages, but I find the following most valuable:
http://support.microsoft.com/kb/977519

E.g. if you desire to drill further into the specific event, check out the reference to wevtutil

Kind regards,
Soren
0
 
LVL 1

Author Comment

by:SMPC
ID: 29885155
Thank you Soren. I will view the suggested pages and read them. I knew it was a cryptographic event and that is what concerned me. What would my computer be doing at 0316 hours without any human at the keyboard when the system was supposed to be asleep? Perhaps it was only getting an update?
 
Thanks you once more,
 
Mike
0
 
LVL 11

Expert Comment

by:slemmesmi
ID: 29885660
Dear Mike,

your computer is doing plenty even when an interactive user is not logged on (even at 0316).
As you suggest, it could be checking for updates (e.g. for Windows/Microsoft Update), perfomance collections, renewing IP, services (such as IIS) may be installed and running on the computer, "housekeeping", and so forth.
You may find more by looking into the SystemLog and ApplicationLog of the EventLog, looking at what (else) was taking place at 0316.

Kind regards,
Soren
0
 
LVL 1

Author Closing Comment

by:SMPC
ID: 31711574
Thank you! We feel better. Mike
0

Featured Post

2018 Annual Membership Survey

Here at Experts Exchange, we strive to give members the best experience. Help us improve the site by taking this survey today! (Bonus: Be entered to win a great tech prize for participating!)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
A simple method to resolve a "keyboard not working" problem by modifying the Windows registry. This issue can often be encountered after using the VMware vCenter Converter Standalone Agent to perform a Physical-to-Virtual (P2V) conversion process.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Suggested Courses
Course of the Month7 days, 4 hours left to enroll

594 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question